Adaptive Business Continuity Fringe or Frontier? A discussion on the work of Dr. David Lindstedt and Mark Armour led by Russ Laughlin
This Presentation • Will not train you on Adaptive BC • Will not advocate Adaptive BC as a solution – Is it a fringe idea or the frontier of BC? • Will ask you to think about where our profession is headed • Will encourage discussion and ideas about the direction of the BC profession, our careers, our chapter
Changing Business Landscape • Many companies (Oracle included) are adopting Agile / lean methodologies – What does BC look like in an Agile world? • It is not clear where traditional BC sits in the changing landscape – What is “resiliency” and where does ACP fit? – What is “risk management” and where does ACP fit?
Rothstein Publishing Available in Kindle or Hard Copy From Amazon
Disclaimer • I am not an expert in Adaptive Business Continuity • I am presenting my interpretation • Anyone in the audience with background in Agile methodology or Adaptive BC? • For those familiar with Adaptive Business Continuity, please plan to contribute with corrections and your personal experiences
High-level Overview • Adaptive Business Continuity is intended to address perceived limitations in the Business Continuity discipline • The concept is inspired by and modeled after Agile Methodology • Radically changes BC approach – Changes focus from documentation to preparedness – Changes focus from compliance to recoverability • Only a couple of years old and seems more theory than practical application
Problems Facing Traditional BC • Traditional BC has not clearly delineated itself from related disciplines: – Risk Management – Crisis Management – Project Management – Physical Security – Resiliency • Traditional BC has not clearly demonstrated its value at the C level • Traditional BC has little visibility at the academic level (one example is Norwich University, which offers an MS in BC)
Problem – Where does BC Fit? • Traditional Risk Management includes – Financial Risk – Computer Security – Insurance • Traditional Crisis Management includes – Network Operations Centers – Physical Security Operations Centers – Public Relations • BC projects are a small subset of Project Management • Physical Security – Executive Protection – Property Protection • “Resiliency” is still defining itself but may be the best fit for BC
Project Management Example 1. In the early 1990s, Project Management was not considered a profession nor were practitioners recognized as having unique skillsets 2. The Project Management Institute sponsored initiatives to • Expose research and academic institutions to project management practices and encourage them to explore the effectiveness of these practices • Research found PM techniques brought value to the organization • PMI published results of these studies widely 3. The result was to substantially enhance the perceived value of both the discipline and its practitioners 4. Eventually PM began to evolve with the introduction of Agile and lean techniques
Difference Between Adaptive and Traditional • Traditional BC seeks to define processes for managing a BC program • Adaptive BC seeks to define a framework for preparing organizations to continue business in the event of disruption
Adaptive BC Manifesto Nine Principles 1. Deliver Continuous Value 2. Document Only for Mnemonics 3. Engage at many levels within the organization 4. Exercise for improvement, not for testing 5. Learn the business 6. Measure and benchmark 7. Obtain incremental direction from leadership 8. Omit the Risk Assessment and Business Impact Analysis 9. Prepare for effects, not causes
Adaptive BC Eliminates 1. The Business Impact Analysis 2. Recovery Time Targets 3. The Risk Assessment 4. Explicit Executive Support 5. Requirements to document the plan 6. Requirements to test the process
Business Impact Analysis Problems 1. BIA confirms assumptions about criticalities rather than identifying criticalities 2. The BIA assumes an organization with well-defined processes and activity-based costing. In reality, few organizations have that maturity 3. The BIA is inherently inaccurate since it needs information not available during the analysis 4. The BIA needs to be aligned against information that is based on cursory analysis
Recovery Time Target Problems 1. RTO estimates are too arbitrary: business owners tend to overestimate the value of their services. Further, the amount of time a business can go without a service depends on the circumstances of the incident. 2. RTO requirements tend to set the wrong tone. Often technical teams feel the requirements are too arbitrary 3. RTO targets create risk/cost by being potentially unrealistic
Risk Assessment Problems 1. BC is not a Risk Management discipline; Risk Assessment belongs in Risk Management 2. RA takes time away from more appropriate and valuable BC tasks 3. RA is becoming increasingly complex 4. The BIA needs to be aligned against information that is based on cursory analysis
Explicit Executive Support Problems 1. Executive support is not required in other professions or disciplines 2. Obtaining executive support adds unnecessary overhead 3. Executive support is not required for success
Documentation Problems 1. Documentation grows increasingly less useful over time 2. Plans are often a poor fit for the actual situations encountered 3. Plans grow in size and become increasingly difficult to use 4. Focus on documentation distracts from effective response planning
Testing Problems 1. Testing reinforces the concepts of (a) time as an objective and (b) plans as scripts 2. Testing drives participants to focus on meeting the plan objectives instead of on the broader need for effective recovery 3. Testing wastes opportunities to make meaningful improvement
Recoverability 1. Terms often equated or conflated a) Resilience, continuity planning, sustainability, disaster recovery, survivability, risk management 2. Adaptive BC avoids all these terms and instead proposes the term recoverability a) This is our “niche” b) This is how we differentiate BC from other disciplines 3. Recoverability: The ability to restore services, individually and/or holistically, following a physical and/or staffing loss
Four Principles of Adaptive BC 1. Preparing for recovery is not prevention 2. Recoverability is not survivability or resilience 3. Recoverability concerns recovery from a physical and/or staffing loss 4. Recoverability concerns the reestablishment of services, either individually or as an organic whole
Types of Loss 1. People: individuals who directly or indirectly support a process, function, or product 2. Things: physical resources including electronic and virtual resources 3. Locations: the physical environments in which people perform work
Loss Triangle (figure; corners: Locations, People, Things) • Outer triangle represents normal capabilities • Inner triangles represent capabilities remaining after loss incident • Innermost triangle represents level of loss that would not be recovered from
Iron Triangle of Constraints (figure; corners: Scope, Cost, Time) • Outer triangle represents normal constraints • Inner triangle represents constraints during and after an incident
Capabilities 1. Resources: physical assets required to provide or recover services (hardware, etc.) 2. Procedures: activities, methods, practices, and instructions for the recovery of services (assessment, prioritization, etc.) 3. Competencies: characteristics allowing individuals to function throughout recovery (leadership, training, technical skillsets)
Preparedness Triangle (figure; corners: Resources, Competencies, Procedures) • Outer triangle represents 100% preparedness • Inner triangle represents actual level of preparedness
Adaptive BC The Main Purpose of the Adaptive BC professional is to continuously improve an organization’s ability to recover services, individually and/or holistically, following a physical and/or staffing loss.
Continuous Improvement 1. Aperture: Opening on a camera lens that admits light on the film. Varying the aperture allows the photographer to get the best picture under the available light conditions. 2. Adaptive BC likens the improvement process to finding the aperture setting that provides the best preparedness under the prevailing loss and constraint conditions.
Documentation • No longer a goal in itself • Used as a reference point to help organize response • Provides the minimum structure needed to understand and execute procedures • Continually evolving
Testing • No longer used to validate specific RTOs • Used as a training and learning tool • Focus is to develop recovery capabilities • Results provide feedback and suggestions for capability improvements
Implementing Program 1. Establish the Loss Triangle 2. Establish the initial Preparedness Triangle 3. Determine method to increase needed corners of the triangle 4. Adjust corners of preparedness triangle to reflect changes 5. Test to validate estimates in preparedness triangle 6. Establish and review metrics 7. Repeat steps 3 – 6 until preparedness reaches desired level
Observations • We have only scratched the surface of Adaptive BC • Examples provided in the book are all hypothetical • I was not able to find any organizations using Adaptive BC